Adam Thierer's Blog, page 116

On the podcast this week, Annemarie Bridy, professor of law at the University of Idaho, and visiting associate professor of law at the University of Pittsburgh, discusses her new paper, "Is Online Copyright Enforcement Scalable?" In it she looks at the advent of peer-to-peer (P2P) file sharing and the copyright enforcement problem it has created through the lens of scalability. In solving difficult problems of scale in their effort to revolutionize the distribution of information goods, the designers of P2P networks created a problem of scale in the form of "massive infringement." Bridy discusses how to to approach solving that new problem of scale–massive infringement. Bridy argues that the DMCA has proven to be remarkably scalable for enforcing copyrights in hosted content but has altogether failed to scale in the context of P2P file sharing, leading to the dysfunctional workaround of mass John Doe litigation. She discusses alternatives to mass litigation, including dispute resolution systems and "three strikes" proposals.

Related Links


Is Online Copyright Enforcement Scalable?, by Bridy
"A massive collection scheme: Yet another judge slams file-sharing lawsuits,", Ars Technica"Citing 'Wrong Door' Cases, Judge Denies Use of IP Addresses to Identify Individuals", Technology Liberation Front

To keep the conversation around this episode in one place, we'd like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

The White House's release of its "Open Government Action Plan" today is timely. I'll be rolling out the product of several months' work on government transparency Friday at a Cato Institute event called "Publication Practices for Transparent Government: Rating the Congress."

The paper we'll release commences as follows:

Government transparency is a widely agreed upon goal, but progress on achieving it has been very limited. Transparency promises from political leaders such as President Barack Obama and House Speaker John Boehner have not produced a burst of information that informs stronger public oversight of government.

The reason is not lack of planning documents, meetings, or websites, as reading the White House's announcement today might suggest, but lack of specifically prescribed data publication practices that foster transparency. The government should publish data about its deliberations, management, and results in ways that make it amenable to all the varied uses of websites, researchers, reporters, and the public at large.

We'll be grading the Congress on how well it's doing with publication of data about formal legislative process. Congress is first because it's low-hanging fruit. We'll soon be turning to information the executive branch can make more transparent: budgets, appropriations, and spending.

The programs featured by the White House today—a new "We the People" petition platform, whistleblower protection, and an "Extractive Industries Transparency Initiative"—are fairly tangential. Fuller government transparency will be a product of specific good publication practices applied to data about the government's deliberations, management, and results.

More information, and registration for Friday's event, can be found here.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited proposed revisions to the Children's Online Privacy Protection rule (the "COPPA Rule"). Below I offer a few brief thoughts on the draft document. My remarks assume a basic level of knowledge about COPPA so that I don't have to spend pages explaining the intricacies of this complex law and regulatory regime. If you need background on the COPPA law and rule, please check out this paper by Berin Szoka and me: "COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech."

Dodging the COPA / Mandatory Age Verification Bullet

The most important takeaway from yesterday's proposal involves something the FTC chose not to do: They agency very wisely decided to ignore some requests to extend the coverage of COPPA's regulatory provisions from children under 13 all the way up to teens up to 18.  An effort to expand COPPA's "verifiable parental consent" requirements to all teens would have raised thorny First Amendment issues as well as a host of practical enforcement concerns.  In essence, it would have required Internet-wide age verification of children and adults in order to ensure that everyone was exactly who they claimed to be online. We already had an epic decade-long legal battle over that issue when the constitutionality of the Children's Online Protection Act (COPA), another 1998 law sometimes confused with COPPA, was tested many times over and always found to be in violation of the First Amendment.

Regardless, the FTC didn't go there yesterday, so this concern is off the table for now. The agency deserves credit for avoiding this constitutional thicket.

Why Eliminate "Email Plus" Verification?

The FTC proposes the elimination of the current "e-mail plus" method of obtaining veritable parental consent. Under the COPPA rule's so-called sliding scale approach, sites:

may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step.  Such additional steps have included: obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent.  The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent.  This consent method is often called "email plus."

The FTC says that "email plus has outlived its usefulness and should no longer be a recognized approach to parental consent." That's crazy. A great number of sites and service that live under COPPA use this method to stay in compliance with the law. This pulls the rug out from under them and creates major short-term marketplace uncertainty.

So, why has the agency done this? It's not really because email plus has "has outlived its usefulness," rather, it's because the agency believes that "continued reliance on email plus has inhibited the development of more reliable methods of obtaining verifiable parental consent.  In fact, the Commission notes that few, if any, new methods for obtaining parental consent have emerged since the sliding scale was last extended in 2006." [p. 68]

That's a very interesting observation. But while I agree that few new parental consent methods have been introduced over the past five years, the FTC has not offered any conclusive evidence here that the existence of "email plus" is to blame. The fact of the matter is that online verification is hard, even the parental consent variety. In a different context, banks are still just having people pumping in 4-digit PINs at ATMs after a few decades of debit cards being on the market. That doesn't necessarily mean that the PIN# approach has stifled other forms of authentication, rather, it's still just the most simple and efficient way of doing things. The same is true of "email plus" in the COPPA context. Yet, the FTC is upending the process in the name of kickstarting innovation in the authentication space. It's an interesting gamble, but has the agency thought through the consequences of failure?

Importantly, sites and services that cater to children have also been focusing on putting other safety procedures and practices into place during this period. It's not like parental notification is the end of the online safety story. As I have always noted in all my work on COPPA, it is not what happens before getting in the door that counts. It is what happens after kids get inside that really counts. The FTC ignores that distinction here and just keeps insisting that we can find better ways to perfect "verifiable parental consent" mechanisms.

All this begs the question: Just what is it that the FTC is looking for that would be superior to "email plus"? For the reasons noted above, they obviously cannot force full-blown online age verification on the Internet. But does the agency want a more rigid, second-best verification system perhaps with a possible government role in the formal authentication process? They might. Read on..

So, What's This about Bringing Government IDs Into the Process?

The FTC makes another interesting proposal on the bottom of pg. 63 when it is discussing other mechanisms for obtaining verifiable parental consent. After rejecting SMS text messages and electronic "sign and send" methods for various reasons, the agency continues on to propose the following:

The Commission also proposes allowing operators to collect a form of government issued identification – such as a driver's license, or a segment of the parent's social security number – from the parent, and to verify the parent's identity by checking this identification against databases of such information, provided that the parent's identification is deleted by the operator from its records promptly after such verification is complete.

In one sense, this isn't at all surprising. Our government already engages in some official credentialing activities, so why not use the ones that we've already required to get to help out with COPPA enforcement?  How one answers that question depends on your disposition toward large government databases and the purposes to which they might be put. If you are inherently distrustful of government aggregating and cross-referencing massive amounts of data about the citizenry, the idea of using driver's licenses and Social Security numbers for yet another thing in this world will make you a bit nervous. It certainly makes me a bit paranoid, but mostly because of what I think might come next. If the FTC gets people accustomed to the idea of using "official" forms of identification to authorize online activities, that could be a slippery slope to something far more troubling. It may just start with just driver's licenses and the last four digits of your Social Security numbers, but that might not be where it ends. Why not throw some biometric identifiers in the mix? Let's have kids get retinal scans as the schoolhouse door at the beginning of each school year and then make mom and dad get one too so that we can match the whole gang up next time junior wants to visit Club Penguin! [By the way, who in government collects all this info and gets to use it?]

Moreover, if the FTC is now getting rid of the "email plus" verification process and dismissing text messages and electronic "sign and send" methods as alternative, then one could argue that–at least indirectly, if not intentionally–the FTC is starting to tip the market in favor of government solutions to online credentialing.

Perhaps I'm being a bit paranoid here. But when I was serving on the Harvard Berkman Center online child safety task force a few years ago, I saw all sorts of online verification schemes pitched to us, some of which would have government requiring biometric identifiers or other types of digital tokens be utilized in an effort satisfy some amorphous online authentication requirements. I'm not saying that's where this particular FTC is taking us, but they're at least opening the door to more "official" government credentialing efforts in the future with this proposal.

Video Conferencing as a Verification Method? Really?

Just as an aside, I must say that I find one of the few new verification methods the FTC endorses–"having a parent connect to trained personnel via video-conference"–to be a bit surprising. (Seriously, did the lobbyists at Skype sneak this proposal in there?!)  The agency states:

The Commission agrees that now commonly-available technologies such as electronic scans and video conferencing are functionally equivalent to the written and oral methods of parental consent originally recognized by the Commission in 1999.  Therefore, the Commission proposes to recognize these two methods in the proposed Rule.

A couple of people on Twitter yesterday pointed out how unlikely it is that video conferencing could be a scalable, workable solution to obtaining verifiable parental consent. Of course, to be fair, this is not the only consent mechanism the agency is suggesting, so I suppose FTC officials would say it's just an additional verification method from which sites can choose.

But what I have a hard time imagining is that any parent would want to sit down in front of a webcam, fire up Skype (or whatever other video conferencing service they prefer), and start a video chat with some random bloke who works for an online site or service. A lot of parents will find that annoying; potentially even a bit creepy!

More practically, smaller sites probably just don't have the manpower or resources to make this solution work. Making people available at all hours to get on a video chat with a parent so that their kid can get on the site is just not going to be a workable verification solution for anyone except the largest online sites and services.

Do Data Deletion Requirements Foreshadow a Push for "Eraser Button" / "Right to be Forgotten"?

On pg. 78, the FTC proposes adding a new data retention and deletion provision to the COPPA regulatory regime:

The proposed provision states that operators shall retain children's personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.  In addition, it states that an operator must delete such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

In one sense this is commendable. It really would be wise for more online sites and services–especially those who handle kids info–to consider purging unneeded data more frequently. It helps minimize the potential for data security breaches and other problems.

That being said, I have to wonder how this proposal plays into the emerging debate over mandatory online "eraser buttons" and what the Europeans call "the right to be forgotten." I recently released a Mercatus Center working paper ("Kids, Privacy, Free Speech & the Internet: Finding The Right Balance"), which examined these notions in greater detail. Simply put, an Internet "eraser button" is challenged by practical realities and principled concerns. It's unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.

Again, the FTC is not proposing a formal "eraser button" in its latest COPPA revision. But by pushing for additional steps to be taken on the data deletion front, the agency might encourage more congressional interest in this topic. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have already included an eraser button proposal in their "Do Not Track Kids Act of 2011." It will be interesting to see what happens next on this front.  Free speech and privacy rights are on a major collision course here if steps to encourage data deletion become formalized as law or regulatory proposals.

Conclusion

There's much, much more in the FTC draft to consider that I'm going to hold judgment on for now. For example, plenty has already been said by others regarding the FTC's proposal to update the definition of "personal information" to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising.  That's going to lead to all sorts of heartburn for a wide variety of online sites and service providers. It's also going to complicate the wireless world as geolocation services expand and become a more ubiquitous part of our mobile digital experiences. But, again, I'm going to hold off on saying more on that for now.

In closing, the broader, more important questions that need to be asked are:

Will these new proposed amendments and expanded regulatory requirements really do anything to make kids safer or their information more secure?
Has the FTC even attempted to conduct a rough cost-benefit analysis of these new regulations?
Have the specific burdens these new rules might impose on smaller operators even been considered?
Correspondingly, will expanded COPPA regulations discourage new innovations that could offer kids and parents more rewarding online experiences?
And, finally, will the new rules have an impact on the online cost equation by forcing various sites and services to charge higher prices–or charge prices for services that were previously free?

The Commission gives some lip service to these concerns toward the end of the document when it notes on page 94:

While the Rule's compliance obligations apply equally to all entities subject to the Rule, it is unclear whether the economic burden on small entities will be the same as or greater than the burden on other entities.  That determination would depend upon a particular entity's compliance costs, some of which may be largely fixed for all entities (e.g., website programming) and others variable (e.g., Safe Harbor participation), and the entity's income or profit from operation of the website itself (e.g., membership fees) or related sources (e.g., revenue from marketing to children through the site).  As explained in the Paperwork Reduction Act section, in order to comply with the rule's requirements, website operators will require the professional skills of legal (lawyers or similar professionals) and technical (e.g., computer programmers) personnel.  As explained earlier, the Commission staff estimates that there are approximately 2,000 website or online services that would qualify as operators under the proposed Rule, and that approximately 80% of such operators would qualify as small entities under the SBA's Small Business Size standards.  The Commission invites comment and information on these issues.

It'll be interesting to see what sort of feedback the FTC gets on that point. What I hope the agency and others understand is that questions like these are not just about the future of online business interests. Rather, these questions cut to the core of whether the public–including children–will be served with more and better digital innovations in the future. As we've noted countless times before here, there is no free lunch. Regulation–even well-intentioned regulation like COPPA–is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.

Additional Resources / Reading:

FTC press release announcing new COPPA revisions
the new proposed amendments [122 pages]
summary of revisions by IT Law Group
summary of revisions by Information Law Group
comments on proposed changes from COPPA expert Izzy Neis
my recent paper on potential dangers of COPPA expansion & mandatory "eraser button"
my paper with Berin Szoka, "COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech"

 

A few days ago, Ars Technica asked me to comment on a class action lawsuit against Paxfire, a company that partners with Internet Service Providers for the purpose of "monetizing Address Bar Search and DNS Error traffic." The second half of that basically means fixing URL typos, so when you accidentally tell your ISP you want the webpage for "catoo.org," they figure out you probably mean Cato. The more controversial part is the first half: When users type certain trademarked terms into a unified address/search bar (but not a pure search bar, or a search engine's own home page), Paxfire directs the user to the page of paying affiliates who hold the trademark. So, for instance, if I type "apple" into the address bar, Paxfire might take me straight to Apple's home page, even though Firefox's default behavior would be to treat it as a search for the term "apple" via whatever search engine I've selected as my default.

The question at the heart of the suit is: Does this constitute illegal wiretapping? A free tip if you ever want to pose as an online privacy expert: For basically any question about how the Electronic Communications Privacy Act applies to the Internet, the correct answer is "It's complicated, and the law is unclear." Still, being a little fuzzy on the technical details of how Paxfire and the ISP accomplished this, I thought about what the end result of this was without focusing too much on how the result was arrived at. The upshot is that Paxfire (if we take their description of their practices at their word) only ends up logging a small subset of terms submitted via address bars, which are at least plausibly regarded as user attempts to specify addressing information, not communications content. In other words, I basically treated the network as a black box and thought about the question in terms of user intent: If someone who punches "apple" into their search bar is almost always trying to tell their ISP to take them to Apple's website, that's addressing information, which ISPs have a good deal of latitude to share with anyone but the government under federal law. And it can't be wiretapping to route the communication through Paxfire, because that's how the Internet works: Your ISP sends your packets through a series of intermediary networks owned by other companies and entities, and their computers obviously need to look at the addressing information on those packets in order to deliver them to the right address. So on a first pass, it sounded like they were probably clear legally.

Now I think that's likely wrong. My mistake was in not thinking clearly enough about the mechanics. Because, of course, neither your ISP nor Paxfire see what you type into your address bar; they see specific packets transmitted to them by your browser. And it turns out that the way they pull out the terms you've entered in a search bar is, in effect, by opening a lot of envelopes addressed to somebody else.

Some quick Internet 101: When you type "apple.com" into your address bar, your browser first checks with your ISP (or, if you're a techie, maybe with some other Domain Name System server you've specified) to look up the computer-friendly numerical address corresponding to the human-friendly URL. Then the browser sends a GET request—basically just a packet saying "give me this page please"—to the IP address of the machine where it think apple.com lives. But if you just type "apple" into a lot of modern browsers, then depending on their settings, they may not pass that on to your ISP's DNS server at all. Instead, the browser recognizes that you've entered something that isn't formatted like a URL, and sends a packet straight to your default search engine, whose content is "please give me a page of results for the search term apple." That's annoying to the ISP, because it means they get cut out of an opportunity to monetize your eyeballs by (for instance) charging Apple to send you straight there, or delivering you their own search results (with their own ads).

According to some network researchers who explained their findings at EFF's site, here's how Paxfire and some of its ISP partners have apparently solved the "problem." When your browser goes to look up the IP address of your default search engine—that is, when it asks your ISP's domain name server where it can find "Bing.com" or "Google.com"—the ISP just systematically lies. It tells your browser that one of Paxfire's servers is really Google.* Paxfire then acts as an invisible proxy, or "man in the middle": It looks at the request your browser was trying to submit to Google, and in most cases resubmits the identical request to Google itself, then passes along Google's response without logging anything. An ordinary user wouldn't notice that Paxfire had been involved at all. But! When their servers see a search that was both originated from a browser's address bar (the search parameters apparently reveal this) and matches their list of trademarked terms, they'll log the query and instead return their own page.

The crucial point here is that by the time the packet gets to Paxfire, it's no longer ambiguous whether "apple" was supposed to be an address or a search term. By the time it gets to Paxfire, "apple" is the content of a message addressed to Google, which reads "please send me search results for apple, and by the way, I'm asking from a Firefox address bar." The mechanics are opaque to the average user, but Paxfire is in effect combing through all these messages to find the ones that maybe, possibly, perchance the user really meant to be an address rather than a search request, because they don't really understand how their browsers work. And thaaats kinda wiretappy.

Except, of course, it's still complicated. If an ordinary citizen taps your phone or your Internet connection, they're guilty of wiretapping (a felony, for those keeping score at home) the instant they "acquire" the communication, regardless of what they do with it. If I rig your computer to send me copies of all your emails (without your consent), it makes no difference whether I ever read any of them or use them for any purpose. If, for some bizarre reason, I've done this and then set my system set to automatically erase the e-mails upon receipt, I'm still equally guilty of illegal "interception" of your communications. (It's a separate offense to "use" or "disclose" communications that have been illegally intercepted.) The crime occurs at the instant of acquisition.

The rules are different for telecom companies, because the only way to have communications on a packet switched network is for various intermediaries to "acquire" your communications in order to pass them along. So the Wiretap Act's definition of "interception" explicitly excludes acquisition by a provider's computers in the "ordinary course of business." It's a separate offense for the provider to "divulge" the contents of a communication to any third party, and here there's no loose "ordinary course of business" exception. Third-party disclosure is allowed when it's a "necessary incident" of providing the communications service, or when the contents are passed to an entity whose facilities are used to forward the communication to its intended recipient, or with the consent of one of the parties to the communication. (There are a bunch of other exceptions, but they're not relevant here.) The interesting wrinkle here is that while for most of us, it's simple to determine when we've "intercepted" a communication, for telecom providers it's kind of complicated: Unlike the rest of us, they're allowed to acquire and disclose other people's communications in the ordinary course of business, so whether an illegal interception has occurred doesn't just depend on where the data goes, but on what they're doing with it, and why.

Unsurprisingly, Paxfire's reply to the suit against them seeks to invoke the "ordinary course of business" exception, among other arguments. Exactly what qualifies as the "ordinary course of business" in this rapidly changing industry is an open question, and circuit court rulings are all over the map, with none directly on point. If that were what we had to assess, I might say flip a coin. But the standard for "divulging" to third parties is more stringent—which makes sense, when you think about it. The law essentially gives providers more leeway in deciding what kinds of internal monitoring or processing are necessary, but sets a higher bar for disclosure to others.

Claiming that redirection of search traffic to Paxfire is a "necessary incident" of service seems like a nonstarter. The more obvious out for the ISPs here is 18 U.S.C. 2511(3)(b)(iii), authorizing disclosure to a person whose facilities are used to forward the message. But a little common sense is needed here: Anyone eavesdropping on a realtime packet-switched communication would normally forward the intercepted packets to their intended recipients. We can't read this as a sort of blanket loophole for wiretapping executed as a man-in-the-middle attack.

What seems dispositive here is that, while Paxfire is ultimately forwarding most query packets to their intended recipients, ISPs aren't routing traffic through Paxfire as a means of getting it to the intended recipient, Google. The more direct way to achieve that would be not lying to our browsers when they ask for Google's IP address, and letting our requests go through normally. Rather, the only rationale for routing the traffic to Paxfire is what they do other than the normal routing and forwarding Internet switches do. The only difference Paxfire makes is that it sometimes doesn't just forward packets to their intended recipients in the normal way, but sends the user to some affiliate's page instead. It would make a kind of nonsense of the statute to apply the forwarding exception to these circumstances.

Perhaps counterintuitively, it's not nearly as clear that Paxfire itself falls on the wrong side of the law here, because a court might well regard their actions as covered by the telecom provider's "ordinary course of business" restriction on the statutory definition on "interception." If everyone whose traffic was routed through Paxfire had clearly given informed consent to the filtering and occasional rerouting of their search queries, what Paxfire's doing would clearly be legal, and one could argue it's really the ISP's problem to ensure they're allowed to pass along the traffic they do.

That, of course, brings us back to the crucial question of consent. All of this is moot if the ISPs had the informed consent of their subscribers to do this. Paxfire says they all did, pointing to privacy policies like this one on RCN's website. But it's not clear that this does or should meet the relatively high standard for consent to interception under the Wiretap Act. Congress clearly wanted to establish a pretty strong presumption against the interception of communications content. In this case, that means that when monitoring or disclosure go beyond the "ordinary course" and "necessary incident" exceptions, it seems appropriate to demand that each individual whose communications are intercepted have actual, specific, effective notice that their communications are subject to interception. In considering a case involving workplace monitoring of an employee's personal calls, the 11th Circuit gave an indication of the stringency of the consent requirement:

It is clear, to start with, that Watkins did not actually consent to interception of this particular call. Furthermore, she did not consent to a policy of general monitoring. She consented to a policy of monitoring sales calls but not personal calls. This consent included the inadvertent interception of a personal call, but only for as long as necessary to determine the nature of the call. So, if Little's interception went beyond the point necessary to determine the nature of the call, it went beyond the scope of Watkins' actual consent.

Consent under title III is not to be cavalierly implied. Title III expresses a strong purpose to protect individual privacy by strictly limiting the occasions on which interception may lawfully take place.

Your mileage may differ, but that sounds hard to square with the claim that "consent" exists for each user provided that whichever member of the household pays the bills checked a box next to a link to a dozen pages of dense legal boilerplate, which studies suggest nobody actually reads. Title III, after all, is to a substantial extent a regulation of telecom operators themselves—which means it would be contrary to the purpose of the statute to let them so easily disclaim liability, and to pile broad new exceptions atop the detailed list Congress created.

The key point to bear in mind here is that the strong statutory presumption against interception is of enormous benefit to the providers. People normally don't scrutinize the legal boilerplate on ISP privacy policies, I want to suggest, because they take for granted that wiretapping is illegal, and that ISPs will not, in fact, routinely allow marketers to sift through the contents of their private communications. If users and customers had to fear that a communications provider was likely to assert the right to do this, based on item D(3) on page 12… a lot of providers would lose a hell of a lot of business, because most people don't want to have to get a JD in order to be able to feel confident they can communicate securely. I know some of my libertarian friends will say it would be better if everyone did have to pay close attention to all these clickwrap contracts, but in the world we currently live in, people do rely on the strong statutory default prohibiting interception and disclosure. Providers whose business depends pretty heavily on consumer expectations of a strong default shouldn't be allowed to turn around and assert that the default is actually so weak as to be almost trivially overcome when it might permit them to rake in a few extra bucks on the side.

* Actually, they've apparently stopped proxying Google specifically, but roll with me for illustrative purposes.

Come hear the other side of the privacy debate! Rep. Marsha Blackburn (R-TN) will lead a discussion among policy experts united by a desire to address demonstrated dangers of data abuse without giving up the value created by data as the vital currency of the digital economy. The Roundtable  is Wednesday, September 14, 8-9:30 am in Congressional Visitors Center Meeting Room North, CVC 268:

The roundtable discussion will cover online privacy issues in anticipation of the final reports to be released this fall by the Department of Commerce and the Federal Trade Commission. Invited participants will consider questions and policy issues related to the value of data, where government should or shouldn't be involved in regulating online privacy, and alternatives to government regulation.

Congressman Blackburn, a member of the House Energy and Commerce Subcommittee on Telecommunications and vice chair of the Subcommittee on Commerce, Manufacturing, and Trade, pledged to conduct a national series of tech industry roundtables in a speech to the Telecommunications Industry Association earlier this year. Her first roundtable was held in late June at the Interactive Advertising Bureau's new online advertising community center in New York City. Congressman Blackburn also recently wrote an op-ed titled "The FTC's Internet Kill Switch" that addresses why any proposed privacy regulation must consider the costs of diminished competition and innovation.

I shared my thoughts on Rep. Blackburn's healthy skepticism of regulation in a CNET editorial in June: On Online Privacy and Avoiding overregulation. The TLF's Ryan Radia (Competitive Enterprise Institute), Jim Harper (Cato), Larry Downes and I (both TechFreedom) will be there.  Joining us will be Howard Beales (George Washington University School of Business), Daniel Castro (Information Technology and Innovation Foundation), Harold Furchgott-Roth (Hudson's Center for Economics of the Internet), Tom Lenard (Technology Policy Institute) and Randy May (Free State Foundation)/

Adam Thierer & I laid out our "Principles to Guide the Debate" on online privacy nearly three years ago, asking that those proposing regulation:

Identify the harm or market failure that requires government intervention.
Prove that there is no less restrictive alternative to regulation.
Explain how the benefits of regulation outweigh its costs

I'll continue to argue for a "layered" approach to privacy, as I did in my FTC comments nearly two years ago:

1. Erect a higher "Wall of Separation between Web and State" by increasing Americans' protection from government access to their personal data—thus bringing the Fourth  Amendment into the Digital Age (such as through ECPA reform).
2. Educate users about privacy risks and data management in general as well as specific practices and policies for safer computing.
3. Empower users to implement their privacy preferences in specific contexts as easily as possible.
4. Enhance self-regulation by industry sectors and companies to integrate with  user education and empowerment.
5. Enforce existing laws against unfair and deceptive trade practices as well as state privacy tort laws.

The video of the event should be online later this week. I'll be trying to tweet on the #privacy hashtags and also #BlackburnPriv. Hope to see you there!

And remember, we're having a joint happy hour with the Electronic Frontier Foundation Wednesday evening, 5:30-8:30 at Johnny's on the Half Shell on Capitol Hill.

 

On the podcast this week, Timothy B. Lee, adjunct scholar with the Cato Institute, a contributor to Ars Technica, and blogger at Forbes.com, discusses the recent patent wars and the prospects for reform. Over the last two decades, large software companies like Microsoft and Apple began acquiring a significant number of patents, gaining the power to shut down or demand payment from any software company that might inadvertently infringe those patents. Lee talks about Google's entry into the patent game, particularly with the acquisition of Motorola. He also discusses the theory behind these patent wars and how the use of patents have been altered from incentives for innovation to a litigation shield. Finally, Lee talks about different proposals for patent reform, including a first to file scheme that is part of the America Invents Act.

Related Links

"Mostly pointless patent reform bill goes to Obama for signature", Ars Technica"Specialist Patent Courts Are Part Of The Problem", Forbes.com"Google, Motorola and the Patent Wars", The Wall Street Journal

To keep the conversation around this episode in one place, we'd like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

[Cross-posted at Reason.org]

In the wake of the Department of Justice's lawsuit to stop the merger of AT&T and T-Mobile USA, there has been some discussion about where T-Mobile would end up if the government effort proved successful.

While debate continues whether a merged AT&T-T-Mobile would harm consumers, there is no disputing that T-Mobile itself is mired in business problems. For all the DoJ's concern that T-Mobile remain in the market as a low-priced alternative for consumers, the company is short of the cash necessary to expand infrastructure at a pace to remain technologically competitive. Blocking the AT&T deal would not necessarily keep Deutsche Telekom, T-Mobile's German parent, from seeking other buyers. Last week, Dave Goldman of CNN Money summed the situation up in "Without AT&T, T-Mobile is a White Elephant." The facts he lays out are among the reasons the merger makes sense.

Yet let's assume for a minute that the DoJ is successful in stopping the merger. A number of pundits both from both the business and the policy side have suggested other potential buyers could rescue T-Mobile. Sascha Segan at PC Magazine provided a good summary here.

Segan was just one of many analysts who pointed to Google, Apple and Comcast (or a cable company consortium) as potential T-Mobile buyers. There are numerous reasons as to why these companies might or might not make a bid. Yet what I find interesting the way several critics of the AT&T deal are almost giddy with the idea that one of these companies might jump at T-Mobile, noting that the entry of a deep-pocketed non-carrier might be a good development for the consolidating wireless industry.

That may be true, but such scenarios raise issues of their own. For if the conventional wisdom is that AT&T's acquisition of T-Mobile is anticompetitive, how can any of these of these other merger proposals be justified?

Although it's treated as second nature, the use of antitrust to enforce a competitive status quo, as the DoJ is attempting here, is rather novel and derives more from recent European antitrust policy that U.S. jurisprudence. Together AT&T and T-Mobile would simply combine wireless network assets. Although the Feds often give similar intra-sector mergers in other industries (airlines, retail, media) a long look, in the end, they rarely withhold approval.

On the other hand, U.S. antitrust law historically has tended to frown on vertical integration, especially attempts to control key portions of the supply chain so as to create a monolithic organization that effectively monopolizes manufacturing, supply and all avenues to market.

Hence, movie studios were forced to divest theater chains. Oil and mining trusts were divorced from rail and transportation interests. Even early telecom policy attempted to structurally separate the "wholesale" network from retailing.

Most of the alternative T-Mobile tie-ups raise these supply chain issues. Like it or not, current tech policy demands we apply an "ifs, ands or buts" test to all industry activity. That is, any possibility, no matter how remote, that a merger, partnership, agreement or innovation might lead to unfair market domination must be regarded as an inevitable outcome, and therefore, pre-emptively regulated or blocked.

With this is mind, I offer the following thoughts on three potential suitors for T-Mobile if the AT&T is squelched.

Google:

Google is already under the Federal Trade Commission's antitrust microscope because it owns applications that can be bundled with search. In particular, the FTC wants to know if Google is structuring search results to rank its own services higher. Then there's the ongoing debate over the degree to which Google controls the online ad space. Recall the uproar over its purchase of Doubleclick.

So, if DoJ says AT&T and T-Mobile creates an antitrust problem, how could it then sanction T-Mobile's sale to a company that: 1) is the leader in organizing the presentation of information on the Web; 2) Is a de facto gateway to numerous sites and applications; 3) Is the developer and owner of Android, a leading smartphone operating system, and 4) is buying the mobile device business of Motorola?

"If, ands and buts:"  Assuming the Google's acquisition of Motorola goes through, adding T-Mobile will create a company that makes a proprietary operating systems for handsets, owns a handset manufacturer, and controls a national mobile network over which its OS and handsets conceivably could be engineered to its advantage (at least you make the case). With T-Mobile's wireless assets, Google could also influence the way its search engine and applications run over the network, locking out T-Mobile customers from other search sites and other apps.

Apple:

An Apple deal would run into much of the same problems as Google. Apple manufactures a proprietary handset, the iPhone. It also owns the on-line iPhone store, and has come under fire for keeping too close a rein on the distribution third-party applications for the device, as well as for eschewing certain software, such as Adobe Flash. Steve Jobs, its outgoing CEO, is the majority shareowner of Disney, a media and content giant. Apple fails the "ifs, ands and buts" test because ownership of T-Mobile would give it a means to hijack conventional Internet channels to the detriment of other content providers. This could be viewed as unfair competition, even a potential network neutrality violation. Apple would be able to engineer iPhones to wireless network specifications that it would not share with other smartphone makers. As with Google, an Apple-T-Mobile tie-up, if we use current DoJ standards, creates more antitrust problems than AT&T does.

Comcast:

Only the cable companies exceed the phone companies in political unpopularity. Comcast is the leading cable provider in the U.S., owner of NBCUniversal (which was competed despite protest form that same activists trying to block AT&T-T-Mobile), an owner of sports franchises and a sports arena. Already activists complain that Comcast and its brethren aim to use their cable network assets to hobble Netflix, Hulu and other video programming competitors that use their infrastructure to deliver video content.

"Ifs, ands and buts:" You could easily charge that Comcast poses the same threat to any video applications and content that can be delivered wirelessly. Why would it even want to invest in 4G wireless if all this would do was provide more bandwidth for video competitors? How could Comcast be given control of billions of dollars of spectrum and a mobile network alongside an extensive landline fiber network and not use that power to threaten competition?

This is more than a snarky exercise. As a supporter of free market solutions, I don't have too many misgivings about any of these scenarios. What concerns me is that the DoJ's intervention in the AT&T-T-Mobile deal carries with it a temptation to direct the market toward an outcome the current more favorable to the current political prejudices. We've already seen administration's overt favoritism in the energy sector.

I'm not saying this is the DoJ's desired aim, but the question hangs there: Given T-Mobile's precarious state–if the government deems AT&T is an unacceptable buyer–who, then, is acceptable? When most other buyers also raise similarly provisional antitrust concerns, rejecting one in favor of another will appear arbitrary and smack of central planning.

Although it may not be popular to say so, shareowners have rights, including the right to sell their stock at the best offer. We've given the government the power to overrule these rights if they deem the sale is in the public interest. That's why the DoJ has to mind the consequences of a blocked sale, for if AT&T-T-Mobile does not serve the public interest, neither, by its own reasoning, do any of the other scenarios outlined above. If it rejects one, it needs to reject the others. Anything else turns its exercise into one of industrial policy rather than protection of the public.

If you're in DC this week, join Kevin Bankston from EFF, myself, fellow TLFers Berin Szoka, Geoff Manne, and Larry Downes, starting at 5:30pm at Johnny's Half Shell, 400 North Capitol St NW. This event is being co-hosted by TLF and the Electronic Frontier Foundation (EFF). Please RSVP on Facebook so we have an idea how many people are attending. Attendees must be 21 or older. Space is limited.

And ALF 15 is already in the works. We're planning to do it in conjunction with Digital Capital Week on November 8th. Stay tuned for more details!

I've reviewed many tech policy books here over the years, but have only found myself in agreement with a couple of titles. One of my favorites is "The Laws of Disruption" by fellow TLF co-blogger Larry Downes.  [My short review is here]  Larry does a terrific job documenting the technological forces (or "laws" as he calls them) that our reshaping the modern economy.

The fundamental law of disruption he identifies is: "Technology changes exponentially, but social, economic, and legal systems change incrementally." Downes says this law is "a simple but unavoidable principle of modern life" and that it will have profound implications for the way businesses, government, and culture evolve going forward. "As the gap between the old world and the new gets wider," he argues, "conflicts between social, economic, political, and legal systems" will intensify and "nothing can stop the chaos that will follow."  He's exactly right and I'll be elaborating on that "law" in more detail in a new paper with Jerry Brito as well as in my next book, which I'm finishing up currently.

Anyway, with Larry's "law" in mind, I couldn't help but laugh out loud when I was reading this Reuter's summary of a recent editorial from the People's Daily, the main newspaper of China's ruling Communist Party. The commentary lambasted the Internet, social networking technologies, and online culture. It contained this gem of quote that proves the Chinese government has a firm grasp of the Law of Disruption: "We have failed to take into sufficient account just how much the Internet is a double-edged sword, and have a problem of allowing technology to advance while administration and regulation lag."

So, the Chinese certainly get it. Regrettably, they are not about to stop trying to control the Internet, social networking platforms, or digital technology. In fact, the editorial also noted that, "Unless administration is vigorous, criminal forces, hostile forces, terrorist organizations and others could manipulate public sentiment by manufacturing bogus opinion on the Internet, damaging social stability and national security." Ah yes, all the old "safety and security" bogeymen. If we don't have control, the sky will fall! Lots of people think that these days, not just Chinese commies. That pessimistic Chicken Littlism is exactly what my next book aims to debunk.

Instead of living in a state of denial about the Law of Disruption or, worse yet, actively ignoring by seeking to slow or control technological change, we should instead be embracing it and finding ways to cope and adjust to the new realities of a world ubiquitous connectivity and information abundance. Progress depends on it.

For CNET this morning, I have a long article reviewing the sad recent history of how local governments determine the quality of mobile services.

As it  turns out, the correlation is deeply negative.  In places with the highest level of user complaints (San Francisco, Washington, D.C.), it turns out that endless delays or outright denials for applications to add towers and other sites as well as new and upgraded equipment is also high.  Who'd have thought?

Despite a late 2009 ruling by the FCC that put a modest "shot clock" on local governments to approve or deny applications, data from CTIA and PCIA included in recent comments on the FCC's Broadband Acceleration NOI suggests the clock has had little to no effect.  This is in part because the few courts that have been asked to enforce it have demurred or refused.

Much of the dithering by local zoning boards is unprincipled and pointless, a sign not so much of legitimate concerns over safety and aesthetics but of incompetence, corruption, and the insidious influence of  outside "consultants" whose fees are often levied against the applicant, adding insult to injury.

For example, in El Cerrito, CA, about a mile from my house, officials sat for two years an on application to site a tower disguised as a tree on a Boy Scout camp , then passed a two-year moratorium on any new facilities.  (I know that camp well–it is in the midst of a giant chain of parks that run the ridgeline of the Berkeley Hills, thick with invasive, non-native trees that have an unfortunate tendency to explode during fire season.)   In Berkeley, CA, where I live, even applications to collocate new antennae on existing towers require a full review and hearing.

Other city and county boards simply delay or deny, or introduce bizarre requirements, including that any new equipment must be shown to benefit only residents of the jurisdiction.

The "shot clock" rule also banned a common practice among many communities of denying any application for new equipment if an existing mobile provider already served the area.  Yes, that's right.  With all the hand-wringing and crocodile tears over mobile competition and the danger of the AT&T/T-Mobile merger, many parts of the U.S. prohibit new competitors from entering.

Some communities are still enforcing that rule, and the few court cases that have interpreted the FCC ruling haven't always embraced it.

Why does this matter?  There are two principal inputs to a cellular network that determine quality of service for customers:  spectrum and cell sites.  Both are under the thumb of government control and constraint.  (Geoff Manne's recent rant on spectrum is well worth reviewing.)  Over the last five years, the four major providers have invested billions in new infrastructure, and would have invested more, as the FCC acknowledges, were it not for the interference of local governments.   In 2009 alone, over $20 billion was invested, representing 13% of total industry revenue.

 

Capital Expenditure by Carrier

Source:  Federal Communications Commissison

If service is poor in some parts of the country, we have only ourselves to blame. But as one commentator to my article put it, it's so much more fun to blame the device or the carrier.

Or, not so funny, to take a "principled" stand on behalf of competition to block a merger designed to evade these increasingly dangerous roadblocks,